SCOM Management Pack for ATP?


I can't seem to find one, but I'm wondering what the timing is for a Management Pack for ATP?  Or if there is a third party solution?  


The ATA management pack is simple, but exactly what I need.  It surfaces all alerts into SCOM so that it can be my single pane of glass.  I'd like to have that for ATP so that there is one less portal I have to check.

 

Any suggestions or workarounds are welcome!

 

EDIT: UserVoice suggestion for a SCOM MP: https://microsoftsecurity.uservoice.com/forums/905791-azure-advanced-threat-protection-ata-in-the-cloud/suggestions/35735290-system-center-operations-manager-scom-management

7 Replies

Hi

We don't have an MP for Azure ATP.  The ATA MP uses events from the ATA Center, so that wouldn't be possible in AATP as there is no ATA Center.

 

My recommendation would be to look at collecting syslog with SCOM.  Then have AATP send syslog to SCOM.

http://cornasdf.blogspot.com/2010/06/syslog-monitoring-walkthrough-with.html
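The reply above recommends having AATP send syslog to SCOM rather than waiting for a management pack. What that looks like on the receiving side, as an added example that is not part of the thread and not Microsoft's or SCOM's own code: a small parser that takes syslog lines carrying a CEF payload, splits the CEF header (honouring the `\|` and `\\` escapes), decodes the key=value extension (honouring `\=`), and maps the CEF 0-10 severity onto three alert levels a SCOM rule could key on. That AATP emits CEF over syslog, the field names in the sample lines, and the severity thresholds are all assumptions made for this example; the sample lines are constructed, not captured from a real sensor.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample syslog lines (not from the thread). They imitate a syslog
# record whose payload is a CEF event. That Azure ATP forwards alerts as CEF
# over syslog is an assumption for this example; field names are illustrative.
SAMPLE_SYSLOG: List[str] = [
    "<13>Jun 12 10:15:33 aatp-sensor01 CEF:0|Microsoft|Azure ATP|2.0|"
    "SuspiciousActivity|Constructed sample alert A|5|start=1528798533000 "
    "suser=EXAMPLE\\\\jdoe shost=ws-0042 msg=Constructed sample\\= message externalId=1001",
    "<13>Jun 12 10:15:34 aatp-sensor01 CEF:0|Microsoft|Azure ATP|2.0|"
    "Reconnaissance|Constructed sample alert B \\| with pipe|8|shost=dc01 "
    "msg=Another constructed message externalId=1002",
    "<13>Jun 12 10:15:35 aatp-sensor01 plain text that is not a CEF event",
]

# BSD-style syslog: <PRI>Mon dd hh:mm:ss host payload; the payload must be CEF.
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<body>CEF:.*)$"
)
CEF_HEADER_FIELDS = ("version", "vendor", "product", "device_version",
                     "signature_id", "name", "severity")
# An extension key is a bare token followed by '=' at the start or after a space.
EXT_KEY_RE = re.compile(r"(?:^| )([A-Za-z0-9_.]+)=")


def split_cef(body: str) -> Optional[Tuple[List[str], str]]:
    """Split 'CEF:...' into its seven header fields plus the raw extension.
    Header fields escape '|' and '\\' with a backslash; the extension is returned
    untouched because it uses its own escaping."""
    fields: List[str] = []
    cur: List[str] = []
    i = 0
    while i < len(body) and len(fields) < 7:
        c = body[i]
        if c == "\\" and i + 1 < len(body):
            cur.append(body[i + 1])  # escaped character, keep literally
            i += 2
        elif c == "|":
            fields.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(c)
            i += 1
    if len(fields) < 7:
        return None  # truncated or malformed header
    return fields, body[i:]


def unescape_ext(value: str) -> str:
    """Undo CEF extension escapes: '\\=' -> '=', '\\\\' -> '\\', '\\n', '\\r'."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def parse_extension(ext: str) -> Dict[str, str]:
    """Decode 'key=value key2=value two' where values may contain spaces."""
    matches = list(EXT_KEY_RE.finditer(ext))
    result: Dict[str, str] = {}
    for idx, m in enumerate(matches):
        start = m.end()
        end = matches[idx + 1].start() if idx + 1 < len(matches) else len(ext)
        result[m.group(1)] = unescape_ext(ext[start:end].strip())
    return result


def parse_syslog_cef(line: str) -> Optional[Dict[str, object]]:
    """Return a structured event, or None if the line is not a usable CEF record."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    parsed = split_cef(m.group("body"))
    if parsed is None:
        return None
    header, ext = parsed
    event: Dict[str, object] = dict(zip(CEF_HEADER_FIELDS, header))
    event["version"] = str(event["version"])[len("CEF:"):]
    try:
        event["severity"] = int(str(event["severity"]))
    except ValueError:
        return None  # severity must be numeric per CEF
    event["host"] = m.group("host")
    event["timestamp"] = m.group("ts")
    event["ext"] = parse_extension(ext)
    return event


def scom_severity(cef_severity: int) -> str:
    """Map the CEF 0-10 scale onto three alert levels. The thresholds are a
    choice made for this example, not a SCOM or AATP rule."""
    if cef_severity >= 7:
        return "Critical"
    if cef_severity >= 4:
        return "Warning"
    return "Information"


def to_scom_alert(event: Dict[str, object]) -> Dict[str, str]:
    """Shape an event into the fields a hypothetical SCOM alert rule would consume."""
    ext = event["ext"]
    assert isinstance(ext, dict)
    return {
        "Name": f"{event['product']}: {event['name']}",
        "Severity": scom_severity(int(str(event["severity"]))),
        "Source": str(event["host"]),
        "Description": ext.get("msg", ""),
        "ExternalId": ext.get("externalId", ""),
    }


def process(lines: List[str]) -> Tuple[List[Dict[str, str]], int]:
    """Parse every line; return (alerts, number of lines rejected as non-CEF)."""
    alerts: List[Dict[str, str]] = []
    rejected = 0
    for line in lines:
        ev = parse_syslog_cef(line)
        if ev is None:
            rejected += 1
            continue
        alerts.append(to_scom_alert(ev))
    return alerts, rejected


if __name__ == "__main__":
    found, dropped = process(SAMPLE_SYSLOG)
    for alert in found:
        print(alert)
    print(f"rejected lines: {dropped}")
```

Rejected lines are counted rather than silently dropped so a collector can raise its own alert when a sensor starts sending something the parser does not understand; with a single forwarding path and no HA on the sensors, that count is the cheapest signal that the feed has gone quiet or changed format.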

 

Oh that's a really interesting idea. I like that. I didn't realize ATP could stream syslog events. I can think of a few ways that would be useful for my monitoring story around this. Thanks for the tip.

I think that will work okay for me, but for others that may be searching and just to complete the train of thought, are there any plans for an eventual MP?

No Plans for an MP. 

Thank you. Do you have any roadmap or rough timelines on when this could be coming? Also, is there a highly available deployment option for the Azure ATP standalone deployment? I can see the sizing guideline but nothing about high availability. Does it support deployment of multiple Azure ATP standalone servers to provide high availability?

No roadmap or timeline.  We have no plans for an AATP MP.

 

There is no HA option for the Sensors.


That's really a shame.  I'll leave a suggestion on UserVoice.  
